Rule name: test4
Command category: all
Host Groups: tempsudo
Client dbduwdu062 is matched in the rule by both the hosts entry and the groups entry.
Netgroups: files sss
Getent netgroup tempsudo returns:
[jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
tempsudo (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
Regarding the previous ldapsearch request:
[jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: Entry permanently locked.
I am still scratching my head on this one...
If you look closely, the reason that your admin works is that it appears to
be matching a sudo rule that has the "ALL" hosts value set.
When you run the non-working user, it is attempting to match the
hostname/hostgroup to the rule and fails to do so.
Try this. Type: getent netgroup hostgroupname <- your host's hostgroup goes
^ that command should return all of the hosts in your hostgroup. If it does
not, then check /etc/nsswitch.conf and make sure that netgroup is set to use
You will also need to make sure that the output of: domainname or nisdomainname
matches your expected domain.
Let me know how things look after trying that.
Freeipa-users mailing list
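The three checks suggested in the reply above (is the client actually listed in the netgroup, does /etc/nsswitch.conf route netgroup lookups to sss, and does the domain field of the triples agree with what the client reports as its NIS domain), written out as a POSIX shell script. This is an added example, not code from the thread or from FreeIPA/sssd. The getent output and the nsswitch.conf excerpt are constructed samples modelled on the output posted in the thread; the host dbduwdu064 is an assumed name used only to show a non-member, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/sssd: the three checks
# from the reply, run against constructed input so they can be exercised
# offline. On a real client replace SAMPLE_NETGROUP with
# "$(getent netgroup tempsudo)", SAMPLE_NSSWITCH with "$(cat /etc/nsswitch.conf)"
# and EXPECTED_DOMAIN with "$(nisdomainname)".

# Constructed sample mirroring the shape of the getent output in the thread.
# Real getent prints the triples without spaces; both forms are handled.
SAMPLE_NETGROUP='tempsudo (dbduwdu063.dbr.roche.com, -, dbr.roche.com) (dbduwdu062.dbr.roche.com, -, dbr.roche.com)'

# Constructed nsswitch.conf excerpt with netgroup lookups routed to sssd.
SAMPLE_NSSWITCH='passwd:     files sss
group:      files sss
netgroup:   files sss
sudoers:    files sss'

# Assumed value: what nisdomainname is expected to print on this client.
EXPECTED_DOMAIN='dbr.roche.com'

# netgroup_triples GETENT_OUTPUT
# Prints one "host user domain" line per (host,user,domain) triple.
netgroup_triples() {
    printf '%s\n' "$1" | tr -d ' \t' | tr '(' '\n' \
        | sed -n 's/^\([^,]*\),\([^,]*\),\([^)]*\)).*/\1 \2 \3/p'
}

# host_in_netgroup FQDN GETENT_OUTPUT
# Succeeds only on an exact host-field match (dbduwdu06 must not match dbduwdu062).
host_in_netgroup() {
    netgroup_triples "$2" | awk -v h="$1" '$1 == h { found = 1 } END { exit !found }'
}

# nss_uses_sss DATABASE NSSWITCH_CONTENT
# Succeeds if the "DATABASE:" line lists the sss source.
nss_uses_sss() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | grep -qw sss
}

# netgroup_domain_matches DOMAIN GETENT_OUTPUT
# Succeeds if every triple's domain field is DOMAIN or the wildcard "-".
# A mismatch here is what a wrong nisdomainname on the client turns into.
netgroup_domain_matches() {
    netgroup_triples "$2" | awk -v d="$1" '$3 != d && $3 != "-" { bad = 1 } END { exit bad + 0 }'
}

# Walk through the thread's case: one host in the netgroup, one (assumed) not.
for h in dbduwdu062.dbr.roche.com dbduwdu064.dbr.roche.com; do
    if host_in_netgroup "$h" "$SAMPLE_NETGROUP"; then
        echo "$h: member of tempsudo"
    else
        echo "$h: NOT in tempsudo, a rule keyed on this netgroup will not match it"
    fi
done
if nss_uses_sss netgroup "$SAMPLE_NSSWITCH"; then
    echo "nsswitch.conf: netgroup lookups consult sss"
else
    echo "nsswitch.conf: netgroup lookups do not consult sss"
fi
if netgroup_domain_matches "$EXPECTED_DOMAIN" "$SAMPLE_NETGROUP"; then
    echo "netgroup domain fields agree with $EXPECTED_DOMAIN"
else
    echo "netgroup domain field differs from $EXPECTED_DOMAIN, check nisdomainname"
fi
```

The host comparison is deliberately exact rather than a substring grep, since a netgroup check that passes for the wrong host hides exactly the mismatch the reply is trying to surface.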